Package: libmailtools-perl
Version: 1.74-1
Severity: normal
Tags: patch

Mail::Internet by default sends a header field which includes the entire 'username' field from /etc/passwd. However, when using 'adduser' to add a user, that field contains more than just the username: it contains a comma-separated list of fields. In some cases, that list of fields includes, for example, a phone number. Regardless of whether this information is included, the field will have additional commas included.

From an email sent by caff (from signing-party):

Sender: "Ari,,," <[EMAIL PROTECTED]>

The attached patch is a simple change to the code to make the name field *not* include these commas or other data in the field.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libmailtools-perl depends on:
ii  libtimedate-perl             1.1600-5  Time and date functions for Perl
ii  perl                         5.8.8-7   Larry Wall's Practical Extraction
ii  perl-modules [libnet-perl]   5.8.8-7   Core Perl modules

libmailtools-perl recommends no packages.

-- no debconf information

--- /usr/share/perl5/Mail/Internet.pm 2006-01-21 04:16:10.000000000 -0500 +++ Mail/Internet.pm 2008-01-01 19:53:10.000000000 -0500 @@ -540,6 +541,12 @@ my $name = eval {local $SIG{__DIE__}; (getpwuid($>))[6]} || $ENV{NAME} ||""; while($name =~ s/\([^\(\)]*\)//) { 1; } + + # Strip extra fields: adduser-generated usernames have multiple comma + # seperated fields, only the first of which should be used to prevent + # accidental exposure of system-local information like phone numbers/ + # room numbers. + $name = (split /,/, $name)[0]; if($name =~ /[^\w\s]/) { $name =~ s/"/\"/g;
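
Review bot: the added line $name = (split /,/, $name)[0]; can leave $name undefined, because split drops trailing empty fields and returns an empty list both for the empty string (the || "" fallback two lines up) and for a value made only of commas, so the following if($name =~ /[^\w\s]/) then matches against undef and warns. A substitution such as $name =~ s/,.*//s; removes everything from the first comma onward and keeps $name a defined string. The truncation is also applied after the getpwuid/$ENV{NAME} fallback chain, so a deliberately set $ENV{NAME} containing a comma is cut as well; if only the passwd field should be trimmed, do the strip on the getpwuid result before falling back to $ENV{NAME}. In the comment, "seperated" should be "separated", and "usernames" describes what is actually element 6 of getpwuid (the full-name field), not the login name.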